gemini-cli

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill documents the Gemini CLI's ability to ingest untrusted external data (via URLs and local files) and process it with high-privilege tools, creating a surface for indirect prompt injection.
  • Ingestion points: The @ reference syntax (e.g., @https://example.com) and the web_fetch built-in tool allow the agent to pull external content into its prompt context.
  • Boundary markers: No explicit boundary markers or instructions to ignore embedded directives are included in the documentation examples for handling external data.
  • Capability inventory: The tool provides capabilities including run_shell_command, write_file, read_file, and replace across various configuration files like settings.json and .toml commands.
  • Sanitization: There is no mention of sanitizing or validating external content before it is processed by the model or used in shell command prompts.
  • [DYNAMIC_EXECUTION]: The documentation describes the !{command} syntax used in custom .toml slash commands and MCP server configurations, which allows for shell command execution. While a core feature of the Gemini CLI, this presents a risk if commands are dynamically generated or used with the --auto-approve flag without manual review.
  • [EXTERNAL_DOWNLOADS]: The skill references the installation of CLI extensions and MCP servers from external repositories (e.g., GitHub). These references target trusted organizations and well-known services, such as official Google Cloud Platform and Model Context Protocol repositories.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 17, 2026, 05:46 AM
Security Audit — agent-trust-hub — gemini-cli